Going to the cloud doesn’t mean freedom from security issues. Cloud services are targets just as much as on-premises systems. As they grow in popularity, dishonest people see opportunities to steal information and resources from complacent users. Organizations that rely on cloud services need security measures for them.
A large business typically has many services to keep track of, any of which could be exposed to threats. It needs a way to identify issues throughout its infrastructure. The protective systems need to catch all serious problems, but they have to be smart enough not to flood administrators with false alarms. Azure Sentinel, a new service currently in preview, is a SIEM which provides integrated security management enhanced by artificial intelligence.
An Azure-Native SIEM
What is a SIEM? The term stands for Security Information and Event Management. It’s the name for software that provides a unified overview of security status in an infrastructure. Information comes from many sources, primarily system logs, and is organized into views that cover everything. Indeed, the functionality includes event collection, reporting of issues, and mapping of diverse information sources to consistent terminology.
Azure Sentinel is a SIEM which is native to Azure. Microsoft announced the preview release at the end of February 2019. It’s available to anyone with an Azure account. Other cloud SIEM tools exist, but this one comes from the people who know Azure best. The Microsoft SIEM integrates with many Azure services. Pricing is similar to other Azure services; there’s no up-front cost, and the amount billed for it depends on usage.
Use of Sentinel is free during the preview period, but there could be charges for services it invokes, such as playbooks.
Sentinel isn’t limited to monitoring the Azure cloud. It can collect log information from any source, including other clouds and on-premises systems. Thus, this allows full coverage of hybrid and multi-cloud infrastructures.
As of this writing, Azure Sentinel is in the preview, and it’s not recommended for production environments. Indeed, no SLA is available. This is a time for trying it out and getting experience with it, to be ready for the official release.
From the administrator’s viewpoint, the epicenter of Sentinel is the dashboard. It provides many ways of looking at the security situation. The toolbar gives information about the number of events and alerts over a time period, as well as the number of new, investigated, and closed events.
Below the toolbar, a number of views are available. The administrator can get a geospatial view of potentially malicious incidents on a world map. Indeed, built-in dashboards include Azure AD logs, firewall information, insecure protocols, Azure activity, and much more.
Creation of custom dashboards is straightforward, and their creators can share them using role-based authorization. Thus, people with different roles in IT may have access to all dashboards or just the ones relevant to their jobs.
Sentinel is built on Azure Log Analytics. It collects information from various security logs and turns the information into a manageable form. The strongest initial emphasis is on Microsoft 365.
The services Sentinel collects information from or soon will be able to, include Azure Identity Protection, Microsoft Cloud App Security, Advanced Threat Protection, and Azure Information Protection. Integration with some third-party tools, such as Cisco ASA and various firewalls, is already available, and more will come.
Adding custom connectors isn’t too hard. Azure can deal with any input in Syslog format or Common Event Format. Its REST API makes it convenient to connect other data sources.
Correlating Events With Machine Learning
Sentinel makes information more manageable with machine learning, including built-in ML and an optional module called Fusion. Third parties can add “build-your-own” ML. They recognize patterns which are especially suspicious, such as logging in from an unusual IP address followed by a massive file download.
Using these features, Sentinel takes its large volume of incoming information and correlates it into cases. A “case” is a group of related alerts that all point to the same problem. Thus, presenting information as cases reduces “alert fatigue”, where administrators receive many redundant alerts.
Automation and Orchestration
A warning of a problem is useful only if it gets a prompt and effective response. Sentinel supports automated threat responses in the form of “playbooks”. Playbooks, built on Azure Logic Apps, set up a series of procedures to run when the situation warrants it. Administrators can run playbooks manually or set up triggering events to launch them. A playbook can take actions such as opening a ticket, sending an SMS or email alert, or disabling an account. Pre-defined playbooks are available for common situations. Administrators can create their own using the Logic App tools.
An exciting feature of Sentinel is the ability to do “hunting” and deep investigations of issues. The process starts from the Cases page on the dashboard. Cases can be filtered by criteria such as status and severity. The page for a single case gives information about the alerts it’s built out of. It shows triggered alerts reasonings. Thus, the administrator looking at it can assign the case to someone or click the “Investigate” button to get more information. It’s also possible to run a playbook to initiate a standardized procedure for processing the case.
The investigation page shows the information as a graph. The nodes on the graph identify entities, such as incidents, computers, and users. The admin can click on any entity to get more information about it and see connections to related entities.
The hunting capability consists of a search and query tool that goes through the data sources. It uses the Azure Log Analytics query language. A large number of predefined queries are provided. As a few examples, they can look for attempted access to disabled accounts, modifications of privilege groups, failed logins, anomalous DNS requests, and so on.
By Microsoft’s own statement, Sentinel isn’t ready for production environments yet. However, it provides additional motivation to adopt or increase use of Azure Log Analytics. Sentinel builds on that service, so organizations that use it will be in a good position to add its higher-level features when they’re available. Learning about the features and trying them out in a test infrastructure will let administrators be ready when Sentinel is available for heavy-duty use.